The Week in Vulnerabilities: Cyble Urges Adobe, Microsoft Fixes
Summary: this week 996 security vulnerabilities were disclosed in products from Microsoft, Adobe and other vendors, more than 140 of them with public proof-of-concept code. Adobe Connect, Fortinet devices and OpenSSL carry serious risk; timely patching is advised. Published 2025-10-17 14:31:07. Author: cyble.com

Vulnerabilities in products from Microsoft, Adobe, Fortinet, OpenSSL and more are getting attention this week. Patch now.

Cyble Vulnerability Intelligence researchers tracked 996 vulnerabilities in the last week, and more than 140 already have a publicly available Proof-of-Concept (PoC), raising the likelihood of real-world attacks. 

A total of 74 vulnerabilities were rated as critical under the CVSS v3.1 scoring system, while 18 received a critical severity rating based on the newer CVSS v4.0 scoring system. 

Here are some of the more significant IT and ICS vulnerabilities flagged by Cyble threat intelligence researchers in recent reports to clients. 

The Week’s Top IT Vulnerabilities 

CVE-2025-49553 is a critical DOM-based Cross-Site Scripting (XSS) vulnerability affecting Adobe Connect versions 12.9 and earlier. The vulnerability could potentially allow an attacker to execute arbitrary malicious scripts in a victim’s browser by tricking the user into visiting a crafted web page. 

CVE-2025-49201 is a critical weak authentication vulnerability affecting specific versions of Fortinet’s FortiPAM and FortiSwitchManager products that could potentially allow an attacker to execute unauthorized code or commands by using specially crafted HTTP requests. 

CISA added three vulnerabilities from Microsoft’s monthly Patch Tuesday update to its Known Exploited Vulnerabilities (KEV) catalog. They include CVE-2025-59230, an elevation-of-privilege flaw in Windows Remote Access Connection Manager that could allow an authorized local attacker to gain SYSTEM-level privileges; CVE-2025-24990, a high-severity elevation-of-privilege vulnerability in the legacy Agere Modem driver (agere.sys) shipped with Windows, which Microsoft addressed by removing the driver rather than patching it, so fax-modem hardware that depends on it stops working after the update; and CVE-2025-47827, a Secure Boot bypass linked to a third-party IGEL OS component that allows unsigned root filesystems to load, compromising boot integrity. 

CVE-2025-61622 is a critical security vulnerability in Apache Fory’s Python module, the Pyfory library, and its predecessor Pyfury. The flaw is unsafe deserialization of untrusted data: when the primary serializer cannot handle an input, the library falls back to a pickle-based serializer. An attacker could exploit this by crafting serialized data that reaches the vulnerable pickle.loads call, which invokes whatever callable the payload names and so leads to remote code execution (RCE) on the affected system without requiring any privileges or user interaction. Users are urged to upgrade to pyfory version 0.12.3 or later, which removes the pickle fallback serializer. 
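The bug class behind CVE-2025-61622 is easy to reproduce in miniature. The following is an added example written for this report; it is not Fory’s code and does not use Fory’s API. `deserialize_with_pickle_fallback` models the vulnerable pattern (a structured parser with a silent `pickle.loads` fallback), `deserialize_hardened` models the fix the project shipped (no fallback at all), and `RestrictedUnpickler` shows the allow-list approach for code bases that cannot drop pickle outright. The `Gadget` payload is constructed here for the demonstration; it calls the harmless `platform.node` where a real attacker would name `os.system` or `subprocess.Popen`.

```python
import io
import json
import pickle
import platform


class Gadget:
    """Constructed attacker object: __reduce__ names an arbitrary callable.

    pickle.loads executes this callable on load. platform.node() is harmless;
    a real payload would point at os.system with a shell command instead.
    """

    def __reduce__(self):
        return (platform.node, ())


# Constructed inputs: what an attacker sends, and what a normal client sends.
MALICIOUS_PAYLOAD = pickle.dumps(Gadget())
BENIGN_PAYLOAD = json.dumps({"user": "alice", "roles": ["reader"]}).encode()
SAFE_PICKLE = pickle.dumps({"ids": [1, 2, 3]})  # plain containers only


def deserialize_with_pickle_fallback(data: bytes):
    """Vulnerable pattern: try the structured format, then fall back to pickle.

    Any input the primary parser rejects reaches pickle.loads, so the attacker
    simply sends bytes that are not valid JSON.
    """
    try:
        return json.loads(data)
    except ValueError:
        return pickle.loads(data)  # arbitrary callable executes here


def deserialize_hardened(data: bytes):
    """Fixed pattern: no pickle fallback. Malformed input is an error."""
    try:
        return json.loads(data)
    except ValueError as exc:
        raise ValueError("unsupported or malformed serialized data") from exc


class RestrictedUnpickler(pickle.Unpickler):
    """Allow-list unpickler for code that must still accept pickle.

    find_class is the only hook through which a pickle stream can name a
    Python global, so rejecting everything outside ALLOWED blocks every
    __reduce__-style gadget, whatever module it points at.
    """

    ALLOWED = {
        ("builtins", "set"),
        ("builtins", "frozenset"),
        ("collections", "OrderedDict"),
    }

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global '{module}.{name}' is forbidden")


def restricted_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def rejects(fn, data: bytes) -> bool:
    """True if fn refuses the input, False if it deserializes it."""
    try:
        fn(data)
    except (ValueError, pickle.UnpicklingError):
        return True
    return False


if __name__ == "__main__":
    # The vulnerable path runs the gadget and hands back its return value.
    print("fallback ran attacker callable:", deserialize_with_pickle_fallback(MALICIOUS_PAYLOAD))
    print("hardened rejects payload:", rejects(deserialize_hardened, MALICIOUS_PAYLOAD))
    print("restricted unpickler rejects payload:", rejects(restricted_loads, MALICIOUS_PAYLOAD))
    print("restricted unpickler accepts plain data:", restricted_loads(SAFE_PICKLE))
```

The point to take from the vulnerable function is that the attacker never needs a valid pickle of a legitimate object; a stream that merely fails the first parser is enough to reach `pickle.loads`. The `RestrictedUnpickler` variant is a stop-gap, not a substitute for the upgrade: its allow-list must stay free of anything with side effects on construction.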

CVE-2025-11462 is a critical local privilege escalation vulnerability in the AWS Client VPN for macOS. A local attacker who can inject crafted API calls carrying arbitrary code into the client’s log file could have that code executed with root privileges. Users are urged to upgrade to AWS VPN Client for macOS 5.2.1 or the latest version. 

CVE-2025-61882 is a critical remote code execution (RCE) vulnerability in Oracle E-Business Suite (EBS). The vulnerability specifically affects the Oracle Concurrent Processing product and its BI Publisher Integration component, potentially allowing an unauthenticated attacker with network access via HTTP to remotely execute arbitrary code on the affected system. Reports suggest the vulnerability has been actively exploited in the wild since at least August 2025, notably by the Cl0p ransomware group. The vulnerability has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog. 

CVE-2025-27915 has also been added to CISA’s KEV catalog. The high-severity stored cross-site scripting (XSS) vulnerability in the Zimbra Collaboration Suite (ZCS) Classic Web Client could be used by attackers to perform unauthorized actions in the victim’s session, such as modifying email filters to redirect messages to attacker-controlled addresses and exfiltrating sensitive data. 

CVE-2025-49844, also known as “RediShell,” is a critical remote code execution vulnerability in the widely used Redis in-memory data store. The flaw allows an authenticated user to send a specially crafted Lua script that manipulates the garbage collector, triggering a use-after-free condition that can lead to remote code execution on the Redis host. The issue is fixed in Redis 8.2.2 (and in the corresponding patched releases of the older supported branches). Where upgrading is not immediately possible, it can be mitigated by preventing untrusted users from running Lua scripts, for example with an ACL rule that denies the EVAL and EVALSHA commands (the @scripting command category) to application users. 

CVE-2025-59489 is a high-severity vulnerability in the Unity Runtime affecting Unity-built applications on Android, Windows, macOS, and Linux, potentially allowing an attacker to inject malicious startup parameters that the Unity Runtime processes as debugging commands. Affected applications must be rebuilt and redeployed. 

OpenSSL Vulnerabilities Discussed on the Dark Web 

Cyble dark web researchers observed threat actors on underground forums discussing the exploitation of a pair of OpenSSL vulnerabilities. 

CVE-2025-9230 is a high-severity vulnerability affecting OpenSSL’s CMS (Cryptographic Message Syntax) message decryption functionality. The vulnerability affects multiple OpenSSL versions, specifically impacting applications attempting to decrypt CMS messages encrypted using password-based encryption (PWRI). The flaw stems from an incorrect check in the kek_unwrap_key() function, where the unwrapped key size validation is off by 8 bytes, leading to an out-of-bounds read of up to 8 bytes and an out-of-bounds write of up to 4 bytes. This memory corruption could result in denial of service or potential execution of attacker-supplied code. 

CVE-2025-9232 is an out-of-bounds read vulnerability in OpenSSL’s HTTP client API functions. The vulnerability could trigger an out-of-bounds read that leads to a crash and potential Denial of Service (DoS) when the ‘no_proxy’ environment variable is set and the host portion of an HTTP URL authority component is an IPv6 address. The issue stems from a missing terminating NUL byte after a strncpy() call in the use_proxy() function in crypto/http/http_lib.c, and is classified as CWE-125 (Out-of-bounds Read). The HTTP client functions are used directly by some applications and also by OpenSSL’s own OCSP and CMP client code, so exposure is limited to deployments that make outbound HTTP requests through them. 

ICS Vulnerabilities 

Cyble researchers also flagged several industrial control system (ICS) vulnerabilities as meriting high-priority patching and mitigation. 

CVE-2025-54811 is a medium-severity Reliance on Undefined, Unspecified, or Implementation-Defined Behavior vulnerability (CWE-758) in OpenPLC_V3 versions prior to pull request #292. Successful exploitation could allow an attacker to corrupt the program’s database during upload; on restart, the runtime may fail to start, resulting in persistent denial of service. The vulnerability potentially affects organizations in Critical Manufacturing, Energy, Transportation Systems, and Water and Wastewater Systems. 

CVE-2025-10653 is a high-severity Authentication Bypass vulnerability affecting Raise3D Pro2 Series 3D Printers. Exploitation could potentially allow an unauthenticated attacker to bypass security controls, access internal file systems, tamper with or upload malicious firmware, and modify or exfiltrate stored data. The vulnerability potentially affects organizations in the Manufacturing sector. 

CVE-2025-40765 is a critical information disclosure vulnerability in Siemens TeleControl Server Basic that could potentially allow an unauthenticated remote attacker to obtain password hashes of users. 

Rockwell Automation Industrial Data Center (IDC) with Cisco Switching, Stratix and other products, and Siemens HyperLynx and other products are affected by vulnerabilities that are in CISA’s Known Exploited Vulnerabilities (KEV) catalog. 

Conclusion 

The high number of vulnerabilities under active exploitation recently highlights the need for rapid, well-targeted actions by security teams to successfully defend IT and critical infrastructure. A risk-based vulnerability management program should be at the heart of those defensive efforts.  

Other cybersecurity best practices that can help guard against a wide range of threats include segmentation of critical assets; removing or protecting web-facing assets; Zero-Trust access principles; ransomware-resistant backups; hardened endpoints, infrastructure, and configurations; network, endpoint, and cloud monitoring; and well-rehearsed incident response plans.  

Cyble’s comprehensive attack surface management solutions can help by scanning network and cloud assets for exposures and prioritizing fixes, in addition to monitoring for leaked credentials and other early warning signs of major cyberattacks.  


Source: https://cyble.com/blog/cyble-weekly-vulnerability-report-cve-2025/